Subversion HTTP servers 1.7.0 to 1.7.8 (inclusive) are vulnerable
to a remotely triggerable segfault DoS vulnerability.
Summary:
========
Subversion's mod_dav_svn Apache HTTPD server module will crash when
a log REPORT request receives a limit that is out of the allowed range.
This can lead to a DoS. There are no known instances of this
problem being used as a DoS in the wild.
Known vulnerable:
=================
Subversion HTTPD servers 1.7.0 through 1.7.8 (inclusive)
Known fixed:
============
Subversion 1.7.9
svnserve (any version) is not vulnerable
Details:
========
The vulnerability can be triggered by doing a log REPORT request with a
limit outside the allowed range.
For example where http://127.0.0.1:8080/repo is the root of a repository:
curl -X REPORT --data-binary @log_report 'http://127.0.0.1:8080/repo/!svn/bc/1/'
Where a file exists named log_report and has the following contents:
019223372036854775807
The limit is defined as an int, which is generally a 32-bit value. Prior to
1.7.0 such a request would have caused the limit to wrap and not necessarily
reflected what the requestor intended. In 1.7.0 code was added to detect this
and reject out of range values as errors. However, the error code ends up
causing the attempted use of a variable that has not been set, resulting in
the segfault.
Severity:
=========
CVSSv2 Base Score: 5.0
CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
We consider this to be a medium risk vulnerability. Configurations which
allow anonymous read access to the repository will be vulnerable to this
without authentication.
A remote attacker may be able to crash a Subversion server. Many Apache
servers will respawn the listener processes, but a determined attacker
will be able to crash these processes as they appear, denying service to
legitimate users. Servers using threaded MPMs will close the connection
on other clients being served by the same process that services the
REPORT request from the attacker.
Recommendations:
================
We recommend all users to upgrade to Subversion 1.7.9. Users of
Subversion 1.7.x who are unable to upgrade may apply the
included patch.
New Subversion packages can be found at:
http://subversion.apache.org/packages.html
There is no httpd configuration that can counter this issue.
References:
===========
CVE-2013-1884 (Subversion)
Reported by:
============
Greg McMullin, Stefan Fuhrmann, Philip Martin & Ben Reser, WANdisco
Patches:
========
Patch against 1.7.8:
[[[
Index: subversion/mod_dav_svn/reports/log.c
===================================================================
--- subversion/mod_dav_svn/reports/log.c (revision 1459527)
+++ subversion/mod_dav_svn/reports/log.c (working copy)
@@ -341,10 +341,9 @@ dav_svn__log_report(const dav_resource *resource,
dav_xml_get_cdata(child, resource->pool, 1));
if (serr)
{
- derr = dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
+ return dav_svn__convert_err(serr, HTTP_BAD_REQUEST,
"Malformed CDATA in element "
"\"limit\"", resource->pool);
- goto cleanup;
}
}
else if (strcmp(child->name, "discover-changed-paths") == 0)
]]]